T1598: Phishing for Information
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.[1][2][3][4][5] Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.[6]
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by Email Spoofing[7] the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.[8]
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).[9][10]
Analyst context for executives and security teams
Phishing for Information is reconnaissance-stage social engineering aimed at getting people to reveal credentials or other useful targeting data, rather than immediately running malware. For leaders, the risk is that an incident may begin before endpoint alerts exist: the decisive evidence is often in email, messaging, identity, help desk, or voice-channel records and in how quickly users report suspicious requests.
Executive priority
Prioritize this as a business-resilience and identity-risk issue, not only an email-security issue. The ATT&CK object ties the behavior to credential harvesting, spoofed senders, third-party services, attachments, links, and voice/callback lures. Executives should ask whether the organization can prove training effectiveness, preserve message and call evidence, identify spoofing or compromised-account abuse, and respond when sensitive information may have been disclosed. ATT&CK also maps use of this technique to multiple named groups, which supports threat-informed prioritization without implying current exposure.
Technical view
T1598 is an enterprise reconnaissance technique on the PRE platform. MITRE provides no official detection text, but a related detection strategy, DET0823, exists. SOC and IR teams should validate coverage across the subtechnique patterns: spearphishing via service, attachment, link, and voice. Focus on evidence that shows solicitation of credentials or actionable information, sender impersonation or spoofing, urgent repeated requests, suspicious links or attachments, callback phone numbers, and possible mailbox manipulation such as hiding rules or header/metadata changes from compromised accounts.
Likely telemetry
- Inbound and outbound email message metadata, headers, authentication results, and sender/display-name details
- Email security gateway or mail platform logs for links, attachments, spoofing indicators, and user-reported messages
- Collaboration, instant messaging, and third-party service message logs where available
- Web proxy, DNS, and browser telemetry for visits to suspected credential collection pages referenced in messages
- Identity and cloud email audit logs, including OAuth application activity and mailbox rule changes where applicable
Detection direction
- Because MITRE does not provide official detection guidance for this object, validate local detections against DET0823 and the four listed subtechniques rather than assuming email-only coverage.
- Tune for phishing that seeks disclosure of information without malware execution; endpoint detections alone may miss the reconnaissance objective.
- Correlate suspicious messages with identity events, mailbox rule changes, OAuth application activity, and user reports to distinguish credential-harvesting or account-abuse preparation from ordinary spam.
- Review false positives around legitimate urgent business requests, third-party services, and help desk workflows; detections should preserve context for analyst review rather than rely only on single keywords.
- Include voice/callback and messaging channels in incident intake, since ATT&CK explicitly includes phone-number lures and electronic conversations beyond email.
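As an added example (not part of the ATT&CK object or of Glexia's analysis), the script below applies the detection direction above to two constructed messages: it parses headers and body, records the spoofing, authentication, urgency, credential-request and callback-number indicators it finds, and keeps the matched evidence so an analyst can separate a credential-harvesting lure from a legitimate urgent request rather than relying on a single keyword. INTERNAL_DOMAINS, the regexes and both sample messages are assumptions.

```python
import email, re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the defended organization's own mail domains
# Constructed sample (not real traffic): external sender using an internal persona, mismatched
# Reply-To, failed SPF/DMARC, urgent credential request and a callback phone number.
SUSPECT_EML = """\
From: "IT Service Desk" <helpdesk@sender-attacker.invalid>
Reply-To: verify@reply-attacker.invalid
To: jane.doe@corp.example
Subject: URGENT: verify your account today
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=sender-attacker.invalid; dkim=none; dmarc=fail header.from=sender-attacker.invalid

Your password expires in 2 hours. Reply with your username and password,
or call 555-0100 immediately to keep access.
"""
# Constructed benign message: urgent wording, but authenticated, internal and no credential ask.
BENIGN_EML = """\
From: "Finance" <finance@corp.example>
To: jane.doe@corp.example
Subject: Urgent: Q3 invoice approvals due today
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass header.from=corp.example

Please approve the pending invoices in the portal before 5pm.
"""
PERSONA = re.compile(r"\b(it|help ?desk|service desk|security|hr|payroll)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|expires?|today)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|username|credentials|verification code|mfa code)\b", re.I)
PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{4}\b")
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", re.I)

def triage(raw: str) -> dict:
    # Returns each indicator found, keeping the matched evidence for analyst review.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if from_domain not in INTERNAL_DOMAINS and PERSONA.search(display):  # external sender, internal role
        findings["external_sender_internal_persona"] = f"{display} <{from_addr}>"
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings["reply_to_mismatch"] = reply_addr
    fails = AUTH_FAIL.findall(str(msg.get("Authentication-Results", "")))
    if fails:  # SPF/DKIM/DMARC verdicts recorded by the receiving MTA
        findings["auth_failures"] = [f"{mech}={result}" for mech, result in fails]
    text = f"{msg.get('Subject', '')}\n{msg.get_body(preferencelist=('plain',)).get_content()}"
    for name, rx in (("urgency", URGENCY), ("credential_request", CREDENTIAL_ASK), ("callback_number", PHONE)):
        if hits := rx.findall(text):
            findings[name] = hits
    return findings
```

The benign message still trips the urgency pattern, which is the point of keeping evidence per indicator: on its own that one hit is context for triage, not an alert.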
Mitigation priorities
- Use M1017 User Training to teach employees and contractors how to recognize, verify, and report requests for credentials or sensitive business information, including urgent messages, spoofed identities, links, attachments, third-party services, and voice callbacks.
- Use M1054 Software Configuration to review security settings for email, collaboration, cloud mail, and related applications so they reduce spoofing, suspicious attachment/link exposure, and compromised-account misuse where supported.
- Sequence controls around reporting and response: make reporting easy, preserve original messages and headers, and define IR actions for suspected disclosure of credentials or other actionable information.
- Periodically test whether training, reporting paths, and configured controls produce usable evidence for SOC triage and compliance documentation.
Analyst notes and limits
Relationship context adds useful scoping: subtechniques cover service, attachment, link, and voice variants; mitigations are User Training and Software Configuration; several ATT&CK groups are mapped as using the technique. Treat those group relationships as threat-intelligence context, not proof of current targeting. The most important local validation question is whether the organization can see and investigate information-seeking social engineering before it becomes a later-stage identity or access incident.
The supplied ATT&CK object has no official detection section and does not provide environment-specific indicators, control settings, or guaranteed telemetry sources. Coverage depends on local email, messaging, identity, cloud, telephony, logging retention, and reporting processes. This take uses only the supplied ATT&CK fields, references, and relationships and does not assert active exploitation or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 0eb8f4dadcf5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatPost Social Media Phishing: O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.
[2] TrendMicro Phishing: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.
[3] PCMag FakeLogin: Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.
[4] Sophos Attachment: Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.
[5] GitHub Phishery: Hanson, R. (2016, September 24). phishery. Retrieved October 23, 2020.
[6] Avertium callback phishing: Avertium. (n.d.). Everything You Need to Know About Callback Phishing. Retrieved February 2, 2023.
[7] Proofpoint-spoof: Proofpoint. (n.d.). What Is Email Spoofing? Retrieved February 24, 2023.
[8] cyberproof-double-bounce: Itkin, L. (2022, September 1). Double-bounced attacks with email spoofing. Retrieved February 24, 2023.
[9] Microsoft OAuth Spam 2022: Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
[10] Palo Alto Unit 42 VBA Infostealer 2014: Ray, V. and Downs, R. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.
[11] mitre-attack: MITRE ATT&CK technique record for T1598.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.